
windows tools 1.8 algorithm analysis

Date: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

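Target software: windows tools 1.8
Size: 689 KB
Language: Simplified Chinese
Category: Chinese-made software / Shareware / System settings
Platform: Win9x/NT/2000/XP
Developer: http://www.freewebs.com/lgsoft/
Description:
A utility for the Windows operating system. Main functions: 1. encryption and hiding, 2. file cleanup, 3. registry cleanup, 4. startup management, 5. system settings, 6. network settings, 7. memory defragmentation, 8. other functions.

Tools used: TRW2000, W32DASM, Language2000, AspackDie v1.4

Checking windowstools.exe with Language2000 shows that it is packed with Aspack; unpack it with AspackDie. Run the unpacked program, click Register, enter nightstar/987654321 and click OK: a failure message appears. Exit, load the main program in W32DASM and search the string references for "对不起,注册未被认证!请检查“注册确认码”。" ("Sorry, the registration was not verified! Please check the 'registration confirmation code'."). The code is as follows: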


:004E1A94 8D55F4 lea edx, dword ptr [ebp-0C]
:004E1A97 8B8320030000 mov eax, dword ptr [ebx+00000320]
:004E1A9D E8BADFF5FF call 0043FA5C
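:004E1AA2 8B45F4 mov eax, dword ptr [ebp-0C] //load the machine code into EAX
:004E1AA5 8D55F8 lea edx, dword ptr [ebp-08]
:004E1AA8 E8FBFDFFFF call 004E18A8 //compute the registration code; step into this call
:004E1AAD 8B55F8 mov edx, dword ptr [ebp-08] //d edx shows the computed registration code
:004E1AB0 58 pop eax //EAX = the code that was entered (the fake one)
:004E1AB1 E8CE31F2FF call 00404C84 //compare the two registration codes
:004E1AB6 0F851D010000 jne 004E1BD9 //not equal: jump to the failure branch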
:004E1ABC B201 mov dl, 01

* Possible StringData Ref from Data Obj ->""
|
:004E1ABE A1581F4600 mov eax, dword ptr [00461F58]
:004E1AC3 E89005F8FF call 00462058
:004E1AC8 8BF0 mov esi, eax
:004E1ACA BA01000080 mov edx, 80000001
:004E1ACF 8BC6 mov eax, esi
:004E1AD1 E82206F8FF call 004620F8
:004E1AD6 B101 mov cl, 01

* Possible StringData Ref from Data Obj ->"\SOFTWARE\LGTools"
|
:004E1AD8 BA501C4E00 mov edx, 004E1C50
:004E1ADD 8BC6 mov eax, esi
:004E1ADF E85807F8FF call 0046223C
:004E1AE4 8D55F0 lea edx, dword ptr [ebp-10]
:004E1AE7 8B8314030000 mov eax, dword ptr [ebx+00000314]
:004E1AED E86ADFF5FF call 0043FA5C
:004E1AF2 8B4DF0 mov ecx, dword ptr [ebp-10]

* Possible StringData Ref from Data Obj ->"Name"
|
:004E1AF5 BA6C1C4E00 mov edx, 004E1C6C
:004E1AFA 8BC6 mov eax, esi
:004E1AFC E8B70CF8FF call 004627B8
:004E1B01 8D55EC lea edx, dword ptr [ebp-14]
:004E1B04 8B8328030000 mov eax, dword ptr [ebx+00000328]
:004E1B0A E84DDFF5FF call 0043FA5C
:004E1B0F 8B4DEC mov ecx, dword ptr [ebp-14]

* Possible StringData Ref from Data Obj ->"SN"
|
:004E1B12 BA7C1C4E00 mov edx, 004E1C7C
:004E1B17 8BC6 mov eax, esi
:004E1B19 E89A0CF8FF call 004627B8
:004E1B1E 8BC6 mov eax, esi
:004E1B20 E8A305F8FF call 004620C8
:004E1B25 8BC6 mov eax, esi
:004E1B27 E8F01FF2FF call 00403B1C
:004E1B2C B201 mov dl, 01

* Possible StringData Ref from Data Obj ->""
|
:004E1B2E A1581F4600 mov eax, dword ptr [00461F58]
:004E1B33 E82005F8FF call 00462058
:004E1B38 8BF0 mov esi, eax
:004E1B3A BA01000080 mov edx, 80000001
:004E1B3F 8BC6 mov eax, esi
:004E1B41 E8B205F8FF call 004620F8
:004E1B46 B101 mov cl, 01

* Possible StringData Ref from Data Obj ->"\Software\Microsoft\Windows\CurrentVersion\Exp"
->"lorer"
|
:004E1B48 BA881C4E00 mov edx, 004E1C88
:004E1B4D 8BC6 mov eax, esi
:004E1B4F E8E806F8FF call 0046223C

* Possible StringData Ref from Data Obj ->"MyGroups"
|
:004E1B54 BAC41C4E00 mov edx, 004E1CC4
:004E1B59 8BC6 mov eax, esi
:004E1B5B E80008F8FF call 00462360
:004E1B60 8BC6 mov eax, esi
:004E1B62 E86105F8FF call 004620C8
:004E1B67 8BC6 mov eax, esi
:004E1B69 E8AE1FF2FF call 00403B1C
:004E1B6E 8D45E4 lea eax, dword ptr [ebp-1C]
:004E1B71 E852FEFFFF call 004E19C8
:004E1B76 FF75E4 push [ebp-1C]

* Possible StringData Ref from Data Obj ->"\System\"
|
:004E1B79 68D81C4E00 push 004E1CD8

* Possible StringData Ref from Data Obj ->"SYS.DRV"
|
:004E1B7E 68EC1C4E00 push 004E1CEC
:004E1B83 8D45E8 lea eax, dword ptr [ebp-18]
:004E1B86 BA03000000 mov edx, 00000003
:004E1B8B E87030F2FF call 00404C00
:004E1B90 8B45E8 mov eax, dword ptr [ebp-18]
:004E1B93 E8A87BF2FF call 00409740
:004E1B98 C6835C03000001 mov byte ptr [ebx+0000035C], 01
:004E1B9F 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Windows Tools 注册提示:"
|
:004E1BA1 68F41C4E00 push 004E1CF4
:004E1BA6 8D55E0 lea edx, dword ptr [ebp-20]
:004E1BA9 8B8314030000 mov eax, dword ptr [ebx+00000314]
:004E1BAF E8A8DEF5FF call 0043FA5C
:004E1BB4 8D45E0 lea eax, dword ptr [ebp-20]

* Possible StringData Ref from Data Obj ->", 您的注册通过,谢谢支持!"
|
:004E1BB7 BA141D4E00 mov edx, 004E1D14
:004E1BBC E8872FF2FF call 00404B48
:004E1BC1 8B45E0 mov eax, dword ptr [ebp-20]
:004E1BC4 E86F31F2FF call 00404D38
:004E1BC9 50 push eax
:004E1BCA 8BC3 mov eax, ebx
:004E1BCC E8FF45F6FF call 004461D0
:004E1BD1 50 push eax

* Reference To: user32.MessageBoxA, Ord:0000h
|
:004E1BD2 E87D5CF2FF Call 00407854
:004E1BD7 EB20 jmp 004E1BF9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E1AB6(C)
|
:004E1BD9 C6835C03000000 mov byte ptr [ebx+0000035C], 00
:004E1BE0 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Windows Tools 注册提示:"
|
:004E1BE2 68F41C4E00 push 004E1CF4

* Possible StringData Ref from Data Obj ->"对不起,注册未被认证!请检查“注册确认码”。"
|
:004E1BE7 68301D4E00 push 004E1D30


Now step into the call at 004E1AA8 and look at the algorithm:


* Referenced by a CALL at Address:
|:004E1AA8
|
:004E18A8 55 push ebp
:004E18A9 8BEC mov ebp, esp
:004E18AB 83C4F8 add esp, FFFFFFF8
:004E18AE 53 push ebx
:004E18AF 56 push esi
:004E18B0 57 push edi
:004E18B1 8BFA mov edi, edx
:004E18B3 8945FC mov dword ptr [ebp-04], eax
:004E18B6 8B45FC mov eax, dword ptr [ebp-04]
:004E18B9 E86A34F2FF call 00404D28
:004E18BE 33C0 xor eax, eax
:004E18C0 55 push ebp
:004E18C1 6821194E00 push 004E1921
:004E18C6 64FF30 push dword ptr fs:[eax]
:004E18C9 648920 mov dword ptr fs:[eax], esp
:004E18CC 8B45FC mov eax, dword ptr [ebp-04]
:004E18CF E86C32F2FF call 00404B40
:004E18D4 84C0 test al, al
:004E18D6 7629 jbe 004E1901
:004E18D8 8845FB mov byte ptr [ebp-05], al //store the length of the machine code at ebp-05
:004E18DB B301 mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E18FF(C)
|
:004E18DD 8D45FC lea eax, dword ptr [ebp-04] //load the address of the machine code string into EAX
:004E18E0 E8AB34F2FF call 00404D90
:004E18E5 8BF3 mov esi, ebx
:004E18E7 81E6FF000000 and esi, 000000FF
:004E18ED 8B55FC mov edx, dword ptr [ebp-04]
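:004E18F0 8A5432FF mov dl, byte ptr [edx+esi-01] //load the ASCII value of each machine code character into DL in turn
:004E18F4 80F207 xor dl, 07 //DL ^ 07h
:004E18F7 885430FF mov byte ptr [eax+esi-01], dl //write the result back into the string buffer pointed to by EAX
:004E18FB 43 inc ebx //EBX + 1
:004E18FC FE4DFB dec [ebp-05] //decrement the counter at ebp-05
:004E18FF 75DC jne 004E18DD //machine code not fully processed yet: keep looping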

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E18D6(C)
|
:004E1901 8BC7 mov eax, edi //the registration code calculation ends here; d eax shows the registration code
:004E1903 8B55FC mov edx, dword ptr [ebp-04]
:004E1906 E8D12FF2FF call 004048DC
:004E190B 33C0 xor eax, eax
:004E190D 5A pop edx
:004E190E 59 pop ecx
:004E190F 59 pop ecx
:004E1910 648910 mov dword ptr fs:[eax], edx
:004E1913 6828194E00 push 004E1928

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E1926(U)
|
:004E1918 8D45FC lea eax, dword ptr [ebp-04]
:004E191B E8682FF2FF call 00404888
:004E1920 C3 ret

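Summary:
The registration code calculation in this program is very simple: XOR the ASCII value of each character of the machine code string with 07h in turn and the result is the registration code. It does not depend on the registration name.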


Building a memory keygen:

Breakpoint address: 4E1AAD
Break count: 1
First byte: 8B
Instruction length: 3
Memory mode: EDX
Then generate.
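
From the vendor's side, both findings above (the code is a keyless transform of the machine code that ignores the name, and the client builds the expected code in memory before the compare at 4E1AAD) go away when the client verifies a signature instead of recomputing the code. The following Go example is added here and is not code from the original article or from the product; the message layout, function names, sample IDs and demo seed are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
)

var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// demoKeys derives a fixed key pair from a constructed seed so the example is
// repeatable. A real vendor generates the key randomly and keeps it offline.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// licenseMessage binds the code to the machine ID AND the registered name.
// Length prefixes keep ("ab","c") and ("a","bc") from colliding.
func licenseMessage(machineID, name string) []byte {
	return []byte(fmt.Sprintf("LICENSE-V1|%d:%s|%d:%s",
		len(machineID), machineID, len(name), name))
}

// IssueLicense runs only on the vendor side, where the private key lives.
func IssueLicense(priv ed25519.PrivateKey, machineID, name string) string {
	return enc.EncodeToString(ed25519.Sign(priv, licenseMessage(machineID, name)))
}

// VerifyLicense is all the client contains: the public key and a check.
// The expected code is never computed locally, so there is nothing to read
// out of a register before the comparison.
func VerifyLicense(pub ed25519.PublicKey, machineID, name, code string) bool {
	sig, err := enc.DecodeString(code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(machineID, name), sig)
}

func main() {
	pub, priv := demoKeys()
	code := IssueLicense(priv, "A1B2C3D4", "alice")            // constructed sample values
	fmt.Println(VerifyLicense(pub, "A1B2C3D4", "alice", code)) // same machine and name
	fmt.Println(VerifyLicense(pub, "A1B2C3D5", "alice", code)) // other machine
	fmt.Println(VerifyLicense(pub, "A1B2C3D4", "bob", code))   // other name
}
```

Signature verification stops valid codes from being derived from the client alone; it does not by itself protect the binary against modification.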

    
    
     
    
    
     
